Conformance testing: add auth conformance testing #806
| name: Auth Conformance | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| scenario: | ||
| - auth/metadata-default | ||
| - auth/metadata-var1 | ||
| - auth/metadata-var2 | ||
| - auth/metadata-var3 | ||
| - auth/basic-cimd | ||
| - auth/scope-from-www-authenticate | ||
| - auth/scope-from-scopes-supported | ||
| - auth/scope-omitted-when-undefined | ||
| - auth/scope-step-up | ||
| - auth/scope-retry-limit | ||
| - auth/token-endpoint-auth-basic | ||
| - auth/token-endpoint-auth-post | ||
| - auth/token-endpoint-auth-none | ||
| - auth/pre-registration | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up JDK 17 | ||
| uses: actions/setup-java@v4 | ||
| with: | ||
| java-version: '17' | ||
| distribution: 'temurin' | ||
| cache: 'maven' | ||
|
|
||
| - name: Build client | ||
| run: mvn clean install -DskipTests | ||
|
|
||
| - name: Run conformance test | ||
| uses: modelcontextprotocol/conformance@v0.1.15 | ||
| with: | ||
| mode: client | ||
| command: 'java -jar conformance-tests/client-jdk-http-client/target/client-spring-http-client-1.0.0-SNAPSHOT.jar' | ||
| scenario: ${{ matrix.scenario }} | ||
| expected-failures: ./conformance-tests/conformance-baseline.yml |
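Review bot: The jar path in the `command:` input mixes two module names: the directory is `conformance-tests/client-jdk-http-client/target/` but the artifact is `client-spring-http-client-1.0.0-SNAPSHOT.jar`, so please confirm that `mvn clean install` really emits that file at that path, otherwise every matrix entry fails before any scenario runs. Also consider pinning `modelcontextprotocol/conformance@v0.1.15` to a commit SHA instead of a mutable tag, and check that none of the new `auth/*` scenarios is already listed in `./conformance-tests/conformance-baseline.yml` as an expected failure, since a scenario in the baseline cannot fail the job.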
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix
AI about 16 hours ago
To fix the problem, the workflow should explicitly declare restricted GITHUB_TOKEN permissions instead of inheriting the repository default. Since this workflow only checks out code, sets up Java, builds with Maven, and runs conformance tests, it only needs read access to repository contents (and possibly to packages if they are pulled, though none are explicitly shown).
The best minimal fix without changing functionality is to add a root-level permissions block right under the name: and on: keys so that it applies to all jobs that do not override it. A conservative and commonly recommended baseline is:
permissions:
  contents: read

This grants read-only access to repository contents, which is required by actions/checkout and is sufficient for the rest of the steps as written. No other scopes (issues, pull-requests, actions, etc.) are needed based on the shown YAML. Concretely, in .github/workflows/conformance.yml, add the permissions mapping after the on: block (or directly after name: if you prefer) and before jobs:. No imports or additional definitions are needed, since this is pure workflow configuration.
| @@ -6,6 +6,9 @@ | ||
| branches: [main] | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| server: | ||
| name: Server Conformance |
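Review bot: A root-level `permissions:` block with only `contents: read` is the right minimal fix, but it applies to every job in the file, including the existing `server` job and the new auth job; confirm that neither `modelcontextprotocol/conformance` invocation needs a write scope (for example to post results), otherwise that job should add its own job-level `permissions:` override rather than loosening the root block.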
Signed-off-by: Daniel Garnier-Moiroux <git@garnier.wf>
👏 🚀
Conformance testing for the auth suite.

Motivation and Context
See MCP Conformance repo.
How Has This Been Tested?
Self-testing.
Breaking Changes
n/a
Types of changes